castingwords-automation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is explicitly designed to ingest and obey 'recommended execution plans' and 'tool schemas' from the remote Rube MCP server. Since this server is an untrusted external source, it can inject malicious instructions that the agent will execute.
  - Ingestion points: RUBE_SEARCH_TOOLS response (specifically recommended execution plans).
  - Boundary markers: None. The instructions tell the agent to follow the search results as authority.
  - Capability inventory: RUBE_MULTI_EXECUTE_TOOL and RUBE_REMOTE_WORKBENCH allow for potentially arbitrary tool execution and remote command processing.
  - Sanitization: None provided; the skill relies entirely on the remote schema for logic flow.
- External Downloads & Dependencies (MEDIUM): The skill mandates the use of https://rube.app/mcp, an unverified third-party endpoint. This source is not on the list of trusted repositories or organizations, posing a supply-chain risk.
- Remote Code Execution (MEDIUM): The inclusion of RUBE_REMOTE_WORKBENCH suggests a capability for remote command or script execution. When combined with the dynamic discovery of tools from an untrusted source, this creates a high-risk surface for unauthorized operations.
Recommendations
- AI detected serious security threats
Audit Metadata